
Foot Printing with Host

The Tutorial is also attached and available for download.

The host command is perhaps one of the most valuable if you are trying to do some enumeration of your system, or anyone else's. The host command will help you find machines, as well as the properties of many of the same machines, so that you can get a better idea of what is out there early on.

Using it in conjunction with a few other trusty commands, you can garner a lot about nearly any computer system or network.

The system that I'll be using in these examples is real, and is letnet.net, the system for my school's network.

You can, after typing in the hostname you wish to look-up, type in the server that you wish to look it up in. For example:

"QUERY 1" tells us that there was only one host request, while "ANSWER: 2" says that two different things returned, which means that there are separate routers, computers, or subnets running directly under the address which was originally queried.

You can also use it to do a reverse look-up on IP Addresses. When we take one of the IP addresses that was returned when we typed in "host letnet.net"

;; ADDITIONAL SECTION:
david.letnet.net. 3600 IN A 10.0.2.5
solomon.letnet.net. 3600 IN A 10.0.4.11
rachael.letnet.net. 1200 IN A 10.0.2.20

Received 215 bytes from 10.0.2.5#53 in 3 ms

As you can see, this not only gives us a more complete listing of machines, but it also gives us the data on several of the machines hooked up to letnet.net, including their IP Address, which saves us the trouble of doing a reverse look-up later on.

This is a very useful command, and is a large part of the foot-printing process.

One thing that is very odd is that one machine that is hooked up to the network, seth.letnet.net. When I do a query of it:

So we can see that my IP address, within the network, is 10.31.162.90 (this is quite accurate.) The DNS can also reveal a good bit of information if you know how to read it...

DBurnet is my machine. ph1 refers to Penn Hall, Resnet is the Resident network, letnet.net being the main network. If you know a bit about the network or the layout of the area, you can read a bit into the DNS reports.

At the bottom of that report, we see that all of this information comes from the IP address 10.0.2.5. We can either scroll up to find out what this is, or in the case that it isn't listed...

Sthepenake is the computer name, thom1 is the floor he lives on, resnet and letnet.net are the same as above. Once more, the DNS tells us the location of the computer, both physically and on the network.

Now let's try using the host command on one of the sub-addresses above, which for now we can assume are routers.

;; ANSWER SECTION:
resnet.letnet.net. 600 IN A 10.0.2.80
resnet.letnet.net. 600 IN A 10.0.2.75

Received 67 bytes from 10.0.2.5#53 in 2 ms

This reveals a fair amount of information to us, and once again reveals the controlling computer to be 10.0.2.5, or David. So obviously that computer is vital, and should be doubly protected from attack.

Later on, we'll see that 10.0.2.5 is always the returning IP address, for every one of my scans, including those of completely unrelated networks. It seems to either be the location for their proxy or their firewall. If we followed the logic above purely, we would have reached the right conclusion for the wrong reasons. Many ISPs will give the same result, as will many networks, if you happen to be on the inside of one.

Let's find out exactly what the other two IP addresses were, shall we?

;; ADDITIONAL SECTION:
david.letnet.net. 3600 IN A 10.0.2.5
solomon.letnet.net. 3600 IN A 10.0.4.11
rachael.letnet.net. 1200 IN A 10.0.2.20

Received 215 bytes from 10.0.2.5#53 in 3 ms

This very bit of information came from david. So david may be the network controlling computer. This is reinforced by the second to last line in the answer section:
letnet.net. 3600 IN SOA david.letnet.net. admin. 189955 900 600 86400 3600

Basic queries of the other computers, solomon and rachael turn up void, and do not seem to be of much help at the moment.

At this point, we're pretty much done with footprinting for letnet.net. Let's do a quick nmap of david.letnet.net, just to see what's there:

maccurdy@DBurnet:~> nmap david.letnet.net

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-03 16:10 CST
Interesting ports on david.letnet.net (10.0.2.5):
(The 1623 ports scanned but not shown below are in state: closed)
Port State Service
42/tcp open nameserver
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
1058/tcp open nim
1068/tcp open instl_bootc
1723/tcp open pptp
2105/tcp open eklogin
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3372/tcp open msdtc
3389/tcp open ms-term-serv
27000/tcp open flexlm0

Wow. That would make some people VERY happy. :-) It is interesting to note that the exact same ports are open on david.letnet.net as just at letnet.net. This is either purely by chance or by coincidence.

Now, let us take a look at a completely different server, one that happens to be the one hosting my website.

;; ADDITIONAL SECTION:
mail.ns.thehostgroup.com. 86400 IN A 208.56.139.98
ns.thehostgroup.com. 86400 IN A 208.56.139.98
ns2.thehostgroup.com. 86400 IN A 64.177.65.2

Received 229 bytes from 10.0.2.5#53 in 51 ms

You'll notice here that we're still getting results from 10.0.2.5, which is david.letnet.net. It's probably the proxy or firewall, as I mentioned above.

Hmm. No new servers this time. I'm willing to wager that we're dealing with closely related servers, if not a real, live virtual server. Let's compare the IP address given for ns2.thehostgroup.com to that given to nintendogeneration.com
64.177.65.2 for ns2.thehostgroup.com
64.177.96.218 for nintendogeneration.com

So now let's review exactly what the host command has brought us so far:
It has revealed four machines/routers running under letnet.net, as well as pointed to the one which seems to be most critical (firewall/proxy).
We've been able to find DNS sub-domains, and guess at the physical location of computers from them. (If you know about the network location and the layout of it beforehand, this is useful for schools or businesses that you've had dealings with.)
We've found related domains, and have been able to accurately guess that a domain is a part of a virtual server, with DNS splits, routers, and other fun stuff.
Lastly, we've found our way to the core computer on several networks.

host is a very powerful command for footprinting a system, if you're either doing a security audit or just doing some light probes. After some skillful host probes and nmaps, you'll find yourself far more prepared to attack or defend a network, or at least understand it better.
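The post reads the host and nmap listings by eye. As an added example (not part of the original post, and not the host or nmap tools' own code), the script below does the same reading mechanically from a defender's side: it parses the ";; ... SECTION:" output shape shown above into an address inventory, pulls the zone's primary server out of the SOA record (the "david" conclusion), splits a reverse-lookup name like DBurnet.ph1.resnet.letnet.net into its location labels, and compares an nmap port listing against a documented baseline so unexpected exposure stands out. The sample outputs embedded in it are constructed from the post's own names and 10.x addresses; the header line and the baseline set are assumptions.

```python
"""Turn host/dig-style DNS output and an nmap listing into a small asset inventory.
Added example; not code from the original post."""
import re
from collections import defaultdict

# Constructed sample shaped like the post's `host` listings (header line is assumed).
HOST_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;letnet.net.\t\t\tIN\tA

;; ANSWER SECTION:
resnet.letnet.net.\t600\tIN\tA\t10.0.2.80
resnet.letnet.net.\t600\tIN\tA\t10.0.2.75

;; AUTHORITY SECTION:
letnet.net.\t3600\tIN\tSOA\tdavid.letnet.net. admin. 189955 900 600 86400 3600

;; ADDITIONAL SECTION:
david.letnet.net.\t3600\tIN\tA\t10.0.2.5
solomon.letnet.net.\t3600\tIN\tA\t10.0.4.11
rachael.letnet.net.\t1200\tIN\tA\t10.0.2.20

Received 215 bytes from 10.0.2.5#53 in 3 ms
"""

# Constructed sample in the post's nmap 3.x output shape (subset of its ports).
NMAP_OUTPUT = """\
Interesting ports on david.letnet.net (10.0.2.5):
(The 1623 ports scanned but not shown below are in state: closed)
Port State Service
42/tcp open nameserver
53/tcp open domain
88/tcp open kerberos-sec
389/tcp open ldap
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
"""

HEADER = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")   # name ttl IN type rdata
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")         # port/proto state service


def parse_host_output(text):
    """Return (header counts, resource records) from dig/host -v style output."""
    counts, section, records = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:  # the "QUERY: 1, ANSWER: 2" line the post explains
            counts = dict(zip(("query", "answer", "authority", "additional"),
                              map(int, m.groups())))
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")].lower()
            continue
        if not line or line.startswith(";"):  # comments and the QUESTION entry
            continue
        m = RECORD.match(line)
        if m and section:
            name, ttl, rtype, rdata = m.groups()
            records.append({"section": section, "name": name.rstrip("."),
                            "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return counts, records


def inventory(records):
    """hostname -> sorted IPv4 addresses, taken from A records in every section."""
    hosts = defaultdict(set)
    for r in records:
        if r["type"] == "A":
            hosts[r["name"]].add(r["rdata"])
    return {h: sorted(ips) for h, ips in hosts.items()}


def soa_primary(records):
    """MNAME of the SOA record: the zone's primary server (the post's 'david')."""
    for r in records:
        if r["type"] == "SOA":
            return r["rdata"].split()[0].rstrip(".")
    return None


def hostname_labels(fqdn, zone):
    """Labels below the zone, most specific first: DBurnet.ph1.resnet -> [host, floor, net]."""
    if not fqdn.lower().endswith("." + zone.lower()):
        return []
    return fqdn[:-(len(zone) + 1)].split(".")


def parse_nmap(text):
    """{port: service} for every port nmap reports as open."""
    ports = {}
    for line in text.splitlines():
        m = PORT.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def unexpected_ports(open_ports, baseline):
    """Defender's check: open ports that are not in the documented baseline for the host."""
    return sorted(p for p in open_ports if p not in baseline)


if __name__ == "__main__":
    counts, records = parse_host_output(HOST_OUTPUT)
    print("header:", counts)
    print("inventory:", inventory(records))
    print("primary (SOA MNAME):", soa_primary(records))
    print("labels:", hostname_labels("DBurnet.ph1.resnet.letnet.net", "letnet.net"))
    open_ports = parse_nmap(NMAP_OUTPUT)
    print("outside baseline:", unexpected_ports(open_ports, {53, 88, 389, 445}))
```

The baseline passed to unexpected_ports is whatever the host is documented to expose; running the same comparison after every scan turns the post's "wow" moment into a repeatable drift check on the zone's critical server.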

So far I have not found it. However, to simulate many shell commands while using Windows, I would recommend cygwin. I know that at least one version of cygwin did not come with the host command, but the newer ones might (and it's still a good thing to be able to use some shell commands while running Windows.)

One question: you're using the HOST command - a very similar command for Windows platforms is NSLOOKUP (Ikalo - take note here). Have you found any significant differences between the two utilities in terms of functionality or use?

Ikalo - using NSLOOKUP from the Windows command shell will give you the ability to go between domain names and IP addresses. You can also change the authoritative DNS server using the "SERVER [new dns server]" command once inside NSLOOKUP. Look through the help file (type HELP inside nslookup) for more detail.